Building The Network You Need With PF, The OpenBSD Packet Filter

BSDCan 2016, Ottawa, Canada, June 8th 2016

Peter N. M. Hansteen


Table of Contents
Where to find these slides online
This Is Not a HOWTO
It All Started With a Copyright Violation
PF: Design Goals, Evolution
PF: Design Goals, Evolution
PF: Design Goals, Evolution
PF: Design Goals, Evolution
PF: Design Goals, Evolution
4.7: Henning's Monster Diff
Post-OpenBSD 4.7 improvements
The Next Big Thing(s): newqueue, MPsafe
Who Uses PF Today
PF - Haiku
Packet Filter? Firewall?
How To Enable?
How To Enable (FreeBSD)
How To Enable (FreeBSD)
How To Enable (NetBSD)
How To Enable (NetBSD)
Simplest Rule Set
Simplest Secure Rule Set
More Than One Rule: Evaluation
The quick Escape
Stateful By Default
Failure modes, aka PEBKAC
Readability: Macros
Readability: Port Ranges
Readability: Lists And Names
Testing Your First Rule Set
A Variation; Slightly Stricter
Testing Your Rule Set
Statistics From pfctl
match (in OpenBSD since 4.6)
Useful Tip #1: set skip
A Gateway - And The Pitfalls
Pitfalls: in, out, on
Keep It Simple: What Is Your Local Network, Anyway?
Simple Gateway (With NAT If You Need To)
NAT vs IPv6
Address families: inet vs inet6
Simple Gateway
Simple Gateway With NAT: 4.7 And Newer
OpenBSD 4.6 Alert: match Rules
Simple Gateway With NAT: Pre-4.7 Version
Simple Gateway With NAT
Testing Your Rule Set
Domain Names And Host Names?
That Sad, Old FTP Thing
If We Have To: ftp-proxy With divert-to (Or Redirection)
ftp-proxy, Pre-4.7
Tables Make Your Life Easier
Table Operations Commands
Making Your Network Troubleshooting Friendly
Then, Do We Let It All Through?
The Easy Way Out: The Buck Stops Here
Letting ping Through
Helping traceroute
Path MTU Discovery
Path MTU Discovery (cont'd)
Some icmp6 sample rules
The other NAT: NAT-six-four
Filtering For Services
Filtering For Services (cont)
Turning Away The Brutes
Turning Away The Brutes: The Rules
Turning Away The Brutes (cont'd)
Turning Away The Brutes (cont'd)
Expiring Table Entries With pfctl
Advanced State Tracking
Advanced State Tracking (cont)
Handling Non-Routable Addresses From Elsewhere
spamd - The Real Reason We Need It
But Really: Giving Spammers a Hard Time
Giving Spammers a Hard Time (cont'd)
Greylisting: See The RFC
Greylisting: My Admin Told Me Not To Talk To Strangers
Giving Spammers a Hard Time: The Rules
Setting Up spamd: spamd.conf
Setting Up spamd - FreeBSD, NetBSD
Setting Up spamd: rc.conf Parameters
Track Real SMTP Connections: spamdlogd
Giving Spammers a Hard Time (cont'd)
Giving Spammers a Hard Time (cont'd)
Giving Spammers a Hard Time (cont'd)
Beating 'em up Some More: spamdb and Greytrapping
spamdb and Greytrapping
Greytrapping - The Result
Keeping Several spamds In Sync
Some People Really Do Not Get It
Giving Spammers a Hard Time: Conclusion
Physical Separation: The DMZ
DMZ Rule Set
DMZ Rule Set: Tighten
The Power Of Tags
Tag based on variables
Anchors
Anchors: Commands
Anchors: Rule Set
Anchors: Alternative Structure
Anchors - common criteria 2
Anchors - tag and quick
Including Files
Wireless Networks: Background
Wireless Networks Made Easy
Wireless Networks: WPA Setup
Wireless Networks Made Easy (cont'd)
Wireless Networks Made Easy (cont'd)
authpf: Per User Rules
Basic authpf Setup
Basic authpf Setup (cont)
Basic authpf Setup (cont)
Per User Rules
Wide Open But Actually Shut
Open But Shut: pf.conf
Open But Shut: pf.conf (pre-4.7)
Sharing The Load: Address Pools
relayd
Basic relayd Config
Basic relayd Config (cont)
Basic relayd Config (cont)
relayctl
Relays aka application layer (layer 7) proxies
relayd For TLS (SSL) Load Balancing example
Filtering For Services, NAT Version
Back To The Single NATed Network
Single NAT, Web & Mail Server On The Inside: From The Inside
Single NAT, Web & Mail Server On The Inside: From The Inside
Single NAT, Web & Mail Server On The Inside: From The Inside
Filtering On Interface Groups
VPNs And Tunneling
VPNs: The enc Interface
VPNs: Key Exchange, Misc
The Filtering Bridge
Where Does It Go?
OpenBSD Bridge Setup
FreeBSD Bridge Setup
Bridge PF Filtering Config
Traffic Shaping with Queues and Priorities
Per Rule Priority - prio
Queues For Bandwidth Allocation: Syntax
What Is Your Usable Bandwidth?
Splitting your bandwidth into fixed-size chunks
Fixed-size allocations - match assignment
Upper and Lower Bounds, with Bursts
systat queues
Detailed Monitoring With pfctl -vvsq
Queueing For a DMZ
Queues for DMZ: queue definitions
Queues for DMZ - assigning traffic
Sending undesirables to a slow-moving queue
Matching on operating system
Transition from ALTQ to priorities and queues
Upgrading: The oldqueue trick
Directing Traffic With ALTQ
Setting Up For ALTQ
Setting Up For ALTQ: FreeBSD
Setting Up For ALTQ: NetBSD
ALTQ - What Is Your Usable Bandwidth?
ALTQ - Prioritizing By Traffic Type
ALTQ - Queue Assignment With match Rule
ALTQ - Allocation By Percentage
ALTQ - A Basic HFSC Traffic Shaper
ALTQ - HFSC systat queues View
ALTQ - Queueing For a DMZ
ALTQ - Queueing For a DMZ: Rules Part 1
ALTQ - Queueing For a DMZ: Rules Part 2
ALTQ - Overloading To a Tiny Queue
ALTQ - Handling Unwanted Traffic
CARP And pfsync
CARP: project spec
CARP: Project Spec cont'd
CARP: Project Spec cont'd
Is Your System CARP Ready?
Setting Up CARP
CARP: ifconfig
pfsync
What Happens To The Rule Set?
CARP Config Example
CARP Ruleset
CARP Load Balancing
Load Balancing CARP: ifconfig
Logging
Taking a Peek With tcpdump
tcpdump Is Your Friend
Matching Log Data To Your Rule Set
Matching Log Data To Your Rule Set
Trace packet's rule traversal: log (matches)
Log To Syslog
Statistics Via Labels
Statistics Via Labels
$variable Label Names
$variable Label Names: Example
Keeping An Eye On Things With systat states
Graph Your Traffic: pfstat
New In 4.5: pflow(4) And pflow State Option
pflow In Your Rule Set
pflow: Config The Interface
pflow: Set Up a Collector
Other Log Tools You May Want To Look Into
Good Logs For Good Debugging
Getting Your Setup Just Right
Block Policy
Skip Steps
State Policy
State Defaults (Since 4.5)
Timeouts
Memory Limits
Debug Levels
Ruleset Optimization
Optimization
Fragment Reassembly
Normalization: scrub
antispoof
Testing your setup
Specification (possibly incomplete)
Debugging your setup
Debugging some more
Debug - use tcpdump
Have fun!
If you enjoyed this: Support OpenBSD!
References
Appendix: You came from elsewhere and you're wondering ...
You're wondering ... Linux?
You're wondering ... Learn BSD?
You're wondering ... GUI tools?
You're wondering ... Automatic conversion?
You're wondering ... More info?
Appendix: FreeBSD WEP Access Point
Appendix: FreeBSD WPA Access Point
Appendix: Connection Lengths
Appendix: authpf-noip (Introduced in OpenBSD 4.3)
Relayd DSR support (4.4)
Appendix: scrub, pre-4.6 style